From 942885a519471aa18706f6b48400beb9c009d329 Mon Sep 17 00:00:00 2001 From: Stephen Cprek Date: Thu, 20 Apr 2017 11:02:58 -0500 Subject: Sign and Verify the hostboot runtime partition (port from p8) Change-Id: I04d303b2fe08a9c3fff4e9f3cc0be9768279637d RTC: 171706 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/39521 Tested-by: Jenkins Server Reviewed-by: Nicholas E. Bofferding Tested-by: Jenkins OP Build CI Tested-by: FSP CI Jenkins Reviewed-by: Michael Baiocchi Reviewed-by: Daniel M. Crowell --- src/build/buildpnor/genPnorImages.pl | 11 +++++++---- src/usr/runtime/populate_hbruntime.C | 8 ++++++++ src/usr/testcore/rtloader/loader.H | 21 ++++++++++++++++++--- 3 files changed, 33 insertions(+), 7 deletions(-) diff --git a/src/build/buildpnor/genPnorImages.pl b/src/build/buildpnor/genPnorImages.pl index 5edc38d0a..d343c50c9 100755 --- a/src/build/buildpnor/genPnorImages.pl +++ b/src/build/buildpnor/genPnorImages.pl @@ -537,8 +537,9 @@ sub manipulateImages # Sections that have secureboot support. Secureboot still must be # enabled for secureboot actions on these partitions to occur. # @TODO securebootp9 re-enable with SBE/SBEC/PAYLOAD secureboot ports - my $isNormalSecure = ($eyeCatch eq "SBE"); - #$isNormalSecure ||= ($eyeCatch eq "HBRT"); + my $isNormalSecure ||= ($eyeCatch eq "HBBL"); + $isNormalSecure ||= ($eyeCatch eq "SBE"); + $isNormalSecure ||= ($eyeCatch eq "HBRT"); #$isNormalSecure ||= ($eyeCatch eq "SBEC"); $isNormalSecure ||= ($eyeCatch eq "PAYLOAD"); #$isNormalSecure ||= ($eyeCatch eq "OCC"); @@ -547,9 +548,11 @@ sub manipulateImages my $isSpecialSecure = ($eyeCatch eq "HBB"); $isSpecialSecure ||= ($eyeCatch eq "HBD"); - $isSpecialSecure ||= ($eyeCatch eq "HBBL"); #$isSpecialSecure ||= ($eyeCatch eq "HBI"); + # Used to indicate security is supported in firmware + my $secureSupported = $isNormalSecure || $isSpecialSecure; + # If there is a non-default header for this section, use it instead my $header = $sb_hdrs{DEFAULT}; if(exists $sb_hdrs{$eyeCatch}) @@ -609,7 +612,7 @@ sub manipulateImages $fsp_prefix.=".header"; # Add secure container header # @TODO RTC:155374 Remove when official signing supported - if ($secureboot && $isSpecialSecure) + if ($secureboot && $secureSupported) { $callerHwHdrFields{configure} = 1; # @TODO securebootp9 re-enable hash page table with vfs page table port diff --git a/src/usr/runtime/populate_hbruntime.C b/src/usr/runtime/populate_hbruntime.C index 995f76302..93ed6e4ee 100644 --- a/src/usr/runtime/populate_hbruntime.C +++ b/src/usr/runtime/populate_hbruntime.C @@ -913,6 +913,14 @@ errlHndl_t populate_HbRsvMem(uint64_t i_nodeId) l_label = HBRT_RSVD_MEM__CODE; l_labelSize = strlen(l_label) + 1; +#ifdef CONFIG_SECUREBOOT + l_elog = loadSecureSection(PNOR::HB_RUNTIME); + if(l_elog) + { + break; + } +#endif + PNOR::SectionInfo_t l_pnorInfo; l_elog = getSectionInfo( PNOR::HB_RUNTIME , l_pnorInfo); if (l_elog) diff --git a/src/usr/testcore/rtloader/loader.H b/src/usr/testcore/rtloader/loader.H index 8914c709b..a5167ff45 100644 --- a/src/usr/testcore/rtloader/loader.H +++ b/src/usr/testcore/rtloader/loader.H @@ -43,6 +43,7 @@ #include #include #include +#include trace_desc_t* g_trac_hbrt = NULL; TRAC_INIT(&g_trac_hbrt, "HBRT_TEST", 2*KILOBYTE); @@ -54,11 +55,25 @@ class RuntimeLoaderTest : public CxxTest::TestSuite void testLoader() { static const uint64_t HEADER_OFFSET = 0x2000; - + errlHndl_t l_errl = nullptr; + +#ifdef CONFIG_SECUREBOOT + // load secure section + // TODO RTC: 157475 Since this is a test case and unload is + // merely a stub function at this point in time, add a call + // to unload later when the aforementioned story is implemented. + l_errl = loadSecureSection(PNOR::HB_RUNTIME); + if(l_errl) + { + TS_WARN("Could not securely load runtime section."); + delete l_errl; + l_errl = nullptr; + return; + } +#endif PNOR::SectionInfo_t runtimeSection; - errlHndl_t l_errl = - PNOR::getSectionInfo(PNOR::HB_RUNTIME, runtimeSection); + l_errl = PNOR::getSectionInfo(PNOR::HB_RUNTIME, runtimeSection); if (l_errl) { -- cgit v1.2.1